metascan multi-scanning technology
DESCRIPTION
The evolving threat landscape, why multi-scanning is needed, and OPSWAT's Metascan technology
TRANSCRIPT
Agenda
Introduction to Multi-scanning
The evolving threat landscape
Why multi-scanning?
Metascan
Additional Uses of Metascan
Getting started with Metascan
The Evolving Threat Landscape
From hacking for fun to cracking for profit
The Evolving Threat Landscape
Timeline: 1998, 2002, 2006, 2010, 2012
Eras: Virus/Worm Era; Spyware and Adware; E-Crime; …; Cyber warfare
Motivation: 15 minutes of fame; Borderline legal ways of making money; Make money fast by exploiting; Stuxnet, DuQu and Flame
Opportunity: Improved connectivity; Increase in users, web traffic & searches; More time on Facebook, Twitter and YouTube; Easier to find personal details -> used to infiltrate organizations
Methods: Quiet attacks; Primary vectors web & mobile; Phishing attacks; Attacks focused on specific sites; Targeted attacks; Cyber warfare
The problem: Too much malware, insufficient detection
Over 130,000 new malicious programs appear every day
“Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.”
http://www.csmonitor.com/Commentary/Opinion/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity
The rapid growth in the amount of malware continues to accelerate
No AV vendor can keep up with the number of new malware variants
The Problem
Insufficient Detection by any one Anti-Malware Product
The Solution
Multiple Anti-Malware Engines
Increase malware zero hour detection rates
Decrease malware detection time after an outbreak
Increase resiliency to anti-malware engines’ vulnerabilities
Why Use Multiple Anti-Malware Engines?
The Solution
Every engine misses something
No anti-malware product is perfect but together they have a greater rate of detection due to their unique features
Engine 1 Detection Rate:
Engine 2 Detection Rate:
100%
Improve Detection Using Multiple Anti-Malware Engines
This graph shows the time between malware outbreak and detection by six anti-malware engines for 75 outbreaks over three months.
No vendor detects every outbreak.
Only by combining six engines in a multi-scanning solution are outbreaks detected quickly.
By adding additional engines, zero hour detection rates increase further.
* Source: av-test.org
Graph legend: Zero hour detection; 5 min to 5 days; No detection at 5 days
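The comparison this graph makes can be reproduced on any set of outbreak timings. The sketch below is an added example, not OPSWAT code or av-test.org data: the engine names and delays are constructed, and treating "zero hour" as detection within 5 minutes is an assumption read off the legend boundaries.

```python
from collections import Counter
from datetime import timedelta

ZERO_HOUR = timedelta(minutes=5)  # assumption: "zero hour" = detected within 5 minutes
WINDOW = timedelta(days=5)        # observation window taken from the graph legend

# Constructed sample data: delay between outbreak and first detection, per engine.
# None means the engine had not detected the sample when the window closed.
DELAYS = {
    "outbreak-1": {"engine_a": timedelta(0), "engine_b": timedelta(hours=30), "engine_c": None},
    "outbreak-2": {"engine_a": None, "engine_b": timedelta(minutes=2), "engine_c": timedelta(hours=6)},
    "outbreak-3": {"engine_a": timedelta(days=3), "engine_b": None, "engine_c": timedelta(0)},
    "outbreak-4": {"engine_a": None, "engine_b": None, "engine_c": timedelta(days=2)},
}

def bucket(delay):
    """Map a detection delay to one of the three legend categories."""
    if delay is None or delay > WINDOW:
        return "no_detection_at_5_days"
    if delay <= ZERO_HOUR:
        return "zero_hour"
    return "5_min_to_5_days"

def combined_delay(per_engine):
    """A multi-scanner flags a file as soon as any one engine does."""
    seen = [d for d in per_engine.values() if d is not None]
    return min(seen) if seen else None

def summarize(delays):
    """Count legend categories per engine and for all engines combined."""
    summary = {}
    for per_engine in delays.values():
        for engine, delay in per_engine.items():
            summary.setdefault(engine, Counter())[bucket(delay)] += 1
        combined = bucket(combined_delay(per_engine))
        summary.setdefault("combined", Counter())[combined] += 1
    return summary

if __name__ == "__main__":
    for name, counts in sorted(summarize(DELAYS).items()):
        print(f"{name:9s} {dict(counts)}")
```

Taking the earliest verdict across engines also takes the union of their false positives, so the same tally is worth running over known-clean files before choosing how many engine hits should trigger a block.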
Multiple Engines Increase Resiliency to Anti-Malware Engine Vulnerabilities
Anti-malware product vulnerabilities from the National Vulnerability Database
[Chart: number of vulnerabilities in antivirus products (CVEs) by year, 2005 to 2012; y-axis 0 to 70]
Metascan
Multi-scanning solution
What is Metascan?
Multi-scanning engine
A server application with a local and network programming interface that allows customers to incorporate multiple anti-malware engine scanning technologies into their security architecture
Supports 0 to 30 anti-malware engines [and growing!]
Simultaneously scans files with all engines
Scan directories, files, archives, buffers, and boot sector
Automatic online definition updates or manual offline updates
What is Metascan?
Multi-scanning engine
Flexible and scalable API-driven solution
Many programming interfaces: C++, Java, PHP, C#/ASP.NET, RESTful (Web API)/HTTP, CLI [command line interface]
Analyzes files locally on a single server or remotely accesses files from Windows, Macintosh, or Linux systems
Metascan
Who uses Metascan?
Analysts who research threats in binaries
• CERTs (Computer Emergency Response/Readiness Teams)
• Government agencies
• Federal and State Law enforcement agencies
• Computer forensic analysts
IT security managers who seek to control data flow
• Files from public facing sharing/upload sites
• Data moving across internal security domains
• Detect infected attachments
Independent software vendors seeking to identify threats in their binaries
• False positives
• Accidental infections
Metascan Standard packages
Metascan is available in preconfigured packages that include 0-16 embedded engines
Best performance from fully embedded engines
Easy to use – engines update automatically or as a single offline package
Metascan Custom packages
Create your own custom packages
Add engines to any standard package. For example, create Metascan 20 by adding McAfee, Symantec, Kaspersky and Sophos to the Metascan 16 standard package
Pick and choose from our custom engine list to create your own custom package (currently up to 30 engines)
Additional Uses of Metascan
Metascan Online (www.metascan-online.com)
• Online implementation of Metascan with 40+ engines
• Upload and scan files
• Lookup by file hash
• Web interface and REST API
Metadefender
• Metascan client that examines the content on physical media such as USB flash drives, CDs and DVDs.
• Available as standalone software or as a physical kiosk
Getting Started with Metascan
For more information on Metascan and Metadefender go to: http://www.opswat.com/metascan
For a free 30 day trial of Metascan and Metadefender go to: http://portal.opswat.com
If you would like more information about purchasing Metascan or Metadefender please contact OPSWAT Sales at: [email protected]
If you have feedback or questions about Metascan or Metadefender contact OPSWAT Product Management at: [email protected]